API-resource security access quick reference
A summary of the MQOPEN, MQPUT1, MQSUB, and MQCLOSE options and the access required by the different resource security types.
Minimum RACF access level required

| RACF class: | MXTOPIC | MQQUEUE or MXQUEUE (1) | MQADMIN or MXADMIN | MQADMIN or MXADMIN |
| --- | --- | --- | --- | --- |
| RACF profile: | (15 or 16) | (2) | (3) | (4) |
| MQOPEN option | | | | |
| MQOO_INQUIRE | | READ (5) | No check | No check |
| MQOO_BROWSE | | READ | No check | No check |
| MQOO_INPUT_* | | UPDATE | No check | No check |
| MQOO_SAVE_ALL_CONTEXT (6) | | UPDATE | No check | No check |
| MQOO_OUTPUT (USAGE=NORMAL) (7) | | UPDATE | No check | No check |
| MQOO_PASS_IDENTITY_CONTEXT (8) | | UPDATE | READ | No check |
| MQOO_PASS_ALL_CONTEXT (8) (9) | | UPDATE | READ | No check |
| MQOO_SET_IDENTITY_CONTEXT (8) (9) | | UPDATE | UPDATE | No check |
| MQOO_SET_ALL_CONTEXT (8) (10) | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT (USAGE=XMITQ) (11) | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT (topic object) | UPDATE (16) | | | |
| MQOO_OUTPUT (alias queue to topic object) | UPDATE (16) | UPDATE | | |
| MQOO_SET | | ALTER | No check | No check |
| MQOO_ALTERNATE_USER_AUTHORITY | | (12) | (12) | UPDATE |
| MQPUT1 option | | | | |
| Put on a normal queue (7) | | UPDATE | No check | No check |
| MQPMO_PASS_IDENTITY_CONTEXT | | UPDATE | READ | No check |
| MQPMO_PASS_ALL_CONTEXT | | UPDATE | READ | No check |
| MQPMO_SET_IDENTITY_CONTEXT | | UPDATE | UPDATE | No check |
| MQPMO_SET_ALL_CONTEXT | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT Put on a transmission queue (11) | | UPDATE | CONTROL | No check |
| MQOO_OUTPUT (topic object) | UPDATE (16) | | | |
| MQOO_OUTPUT (alias queue to topic object) | UPDATE (16) | UPDATE | | |
| MQPMO_ALTERNATE_USER_AUTHORITY | | (13) | (13) | UPDATE |
| MQCLOSE option | | | | |
| MQCO_DELETE (14) | | ALTER | No check | No check |
| MQCO_DELETE_PURGE (14) | | ALTER | No check | No check |
| MQCO_REMOVE_SUB | ALTER (15) | | | |
| MQSUB option | | | | |
| MQSO_CREATE | ALTER (15) | (17) | (18) | |
| MQSO_ALTER | ALTER (15) | (17) | (18) | |
| MQSO_RESUME | READ (15) | (17) | No check | |
| MQSO_ALTERNATE_USER_AUTHORITY | | | | UPDATE |
| MQSO_SET_IDENTITY_CONTEXT | | | (18) | |

Note:
1. This option is not restricted to queues. Use the MQNLIST or MXNLIST class for namelists, and the MQPROC or MXPROC class for processes.
2. Use RACF profile: hlq.resourcename
3. Use RACF profile: hlq.CONTEXT.queuename
4. Use RACF profile: hlq.ALTERNATE.USER.alternateuserid
   alternateuserid is the user identifier that is specified in the AlternateUserId field of the object descriptor. Note that up to 12 characters of the AlternateUserId field are used for this check, unlike other checks where only the first 8 characters of a user identifier are used.
5. No check is made when opening the queue manager for inquiries.
6. MQOO_INPUT_* must be specified as well. This is valid for a local, model or alias queue.
7. This check is done for a local or model queue that has a Usage queue attribute of MQUS_NORMAL, and also for an alias or remote queue (that is defined to the connected queue manager). If the queue is a remote queue that is opened specifying an ObjectQMgrName (not the name of the connected queue manager) explicitly, the check is carried out against the queue with the same name as ObjectQMgrName (which must be a local queue with a Usage queue attribute of MQUS_TRANSMISSION).
8. MQOO_OUTPUT must be specified as well.
9. MQOO_PASS_IDENTITY_CONTEXT is implied as well by this option.
10. MQOO_PASS_IDENTITY_CONTEXT, MQOO_PASS_ALL_CONTEXT and MQOO_SET_IDENTITY_CONTEXT are implied as well by this option.
11. This check is done for a local or model queue that has a Usage queue attribute of MQUS_TRANSMISSION, and is being opened directly for output. It does not apply if a remote queue is being opened.
12. At least one of MQOO_INQUIRE, MQOO_BROWSE, MQOO_INPUT_*, MQOO_OUTPUT or MQOO_SET must be specified as well. The check carried out is the same as that for the other options specified.
13. The check carried out is the same as that for the other options specified.
14. This applies only for permanent dynamic queues that have been opened directly, that is, not opened through a model queue. No security is required to delete a temporary dynamic queue.
15. Use RACF profile hlq.SUBSCRIBE.topicname.
16. Use RACF profile hlq.PUBLISH.topicname.
17. If on the MQSUB request you specified a destination queue for the publications to be sent to, then a security check is carried out against that queue to ensure that we have put authority to that queue.
18. If on the MQSUB request, with MQSO_CREATE or MQSO_ALTER options specified, you want to set any of the identity context fields in the MQSD structure, you also need to specify the MQSO_SET_IDENTITY_CONTEXT option and you also need the appropriate authority to the context profile for the destination queue.
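
The MQOPEN rows and notes 4, 6, 8, 11 and 12, combined into a least-privilege check (an added example, not IBM code): given the open options an application uses on a local queue, it returns the minimum access to grant on each RACF profile. The helper `required_permits`, its parameters, and the choice of the uppercase MQQUEUE and MQADMIN classes are assumptions of this example; it relies on RACF access levels being hierarchical, so the highest level requested on a profile satisfies every check.

```python
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access levels, low to high

# option -> (queue profile access, context profile access), copied from the MQOPEN rows
MQOPEN_ACCESS = {
    "MQOO_INQUIRE": ("READ", None),
    "MQOO_BROWSE": ("READ", None),
    "MQOO_INPUT_*": ("UPDATE", None),
    "MQOO_SAVE_ALL_CONTEXT": ("UPDATE", None),
    "MQOO_OUTPUT": ("UPDATE", None),
    "MQOO_PASS_IDENTITY_CONTEXT": ("UPDATE", "READ"),
    "MQOO_PASS_ALL_CONTEXT": ("UPDATE", "READ"),
    "MQOO_SET_IDENTITY_CONTEXT": ("UPDATE", "UPDATE"),
    "MQOO_SET_ALL_CONTEXT": ("UPDATE", "CONTROL"),
    "MQOO_SET": ("ALTER", None),
}
NEEDS_OUTPUT = {o for o, (_, ctx) in MQOPEN_ACCESS.items() if ctx}  # note 8


def required_permits(hlq, queue, options, xmitq=False, alt_user=None):
    """Return {(class, profile): access} for one MQOPEN of a local queue (hypothetical helper)."""
    opts = {"MQOO_INPUT_*" if o.startswith("MQOO_INPUT_") else o for o in options}
    alt = "MQOO_ALTERNATE_USER_AUTHORITY" in opts
    opts.discard("MQOO_ALTERNATE_USER_AUTHORITY")
    if opts & NEEDS_OUTPUT and "MQOO_OUTPUT" not in opts:
        raise ValueError("note 8: MQOO_OUTPUT must be specified as well")
    if "MQOO_SAVE_ALL_CONTEXT" in opts and "MQOO_INPUT_*" not in opts:
        raise ValueError("note 6: MQOO_INPUT_* must be specified as well")
    if alt and not opts:
        raise ValueError("note 12: another open option must be specified as well")
    need = {}

    def want(racf_class, profile, level):
        # Every check must pass, so keep the highest level asked for on each profile.
        key = (racf_class, profile)
        if LEVELS.index(level) > LEVELS.index(need.get(key, "NONE")):
            need[key] = level

    for opt in opts:
        q_level, ctx_level = MQOPEN_ACCESS[opt]
        if opt == "MQOO_OUTPUT" and xmitq:
            ctx_level = "CONTROL"  # transmission queue opened directly (note 11)
        want("MQQUEUE", f"{hlq}.{queue}", q_level)
        if ctx_level:
            want("MQADMIN", f"{hlq}.CONTEXT.{queue}", ctx_level)
    if alt:
        # note 4: up to 12 characters of AlternateUserId are used in this profile
        want("MQADMIN", f"{hlq}.ALTERNATE.USER.{alt_user[:12]}", "UPDATE")
    return need
```

Comparing the returned map with the access an application's user ID actually holds shows where it has more than the table requires.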